What is a PGP key server?

PGP (“pretty good privacy”) (on Wikipedia) is a standard for encrypting and signing messages. Every person using PGP posesses a pair of a private and a public key. The public key you can send to everyone you want to exchange messages with, the private key, which is encrypted with a password, you keep safe. When you send a message to someone else, you can encrypt it using their public key, but it can only be decrypted by the person who posesses the private key belonging to that public key. This way, everyone can encrypt messages addressed to a specific person, but only the person themselves can decrypt it.

You can also sign a message with your private key, and everyone can verify with your public key that the message has been signed by you. This way, it can be verified that the author of a message is the actual person they claim to be, as only they who posess the private key can make a signature with it.

As everyone can create PGP keys with any name and e-mail address they like, PGP uses the so-called “Web of Trust” to verify that a key actually belongs to the person you want to communicate with. Everyone can sign someone elses key when they are sure (by meeting them in person and possibly checking their government-issued ID card) that the name and e-mail address set in the key are correct. This way, a “chain of trust” can be built: When you have signed a friend’s key and this friend has signed another person’s key, you can be pretty sure that that other person’s key can be trusted.

A PGP key server is a website where people can upload their public keys. This makes it easy for people to encrypt messages they send to them, as they can search the key online, and it is not necessary for the recipient to manually send their public key to everyone they want to receive messages from. Also, a key server aggregates key signatures that people upload, which can increase the trustworthiness of keys, as a key is more trustworthy the more keys have signed it that you trust. Without a key server, this amount of trust could only be achieved by re-sending your key to everyone you have given it to every time someone new signs it. This is particularly important for so-called “revocation signatures”. When for example your laptop is stolen, there is a probability that someone has access to your private key, so it is not safe to use it anymore. When you revoke the key and upload the revocation signature to a key server, everyone who wants to send a message to you will see that it is not safe to encrypt it with that key.